Inside Vietnamese Threat Actor Lone None’s Copyright Takedown-Spoofing Campaign

Cofense Intelligence tracked Lone None campaigns delivering Pure Logs Stealer and a new Lone None Stealer that use copyright-takedown email lures, Telegram bot profile pages for payload delivery, and obfuscated Python-based payloads to steal cryptocurrency via clipboard replacement. The campaign abuses legitimate programs (Haihaisoft PDF Reader, certutil.exe, WinRAR), installs a staged Python interpreter in C:\Users\Public\Windows (renamed svchost.exe), and reports clipboard replacements to a Telegram bot C2. #LoneNoneStealer #PureLogsStealer #TelegramBot

Key Points

  • Lone None uses copyright infringement takedown emails spoofing legal firms in multiple languages to socially engineer victims into downloading archives containing malicious payloads.
  • Initial payload delivery often uses short links (tr[.]ee, goo[.]su) and archives hosted on free file-sharing services (Dropbox, MediaFire) containing legitimate documents plus mismatched-extension payloads.
  • Attack chain repurposes legitimate software: a malicious DLL acts as a Python installer, certutil.exe decodes a disguised archive, and a bundled WinRAR executable extracts the payload.
  • Payload staging installs Python to C:UsersPublicWindows with a renamed interpreter (svchost.exe) and adds a Run registry entry for persistence.
  • Delivery and C2 use Telegram: a bot profile bio stores part of a URL payload pointing to paste[.]rs and 0x0[.]st-hosted Python scripts that load Pure Logs Stealer and Lone None Stealer.
  • Lone None Stealer focuses on cryptocurrency theft by detecting and replacing clipboard wallet addresses with actor-controlled wallets and notifying the actor via Telegram bot API calls.
  • Payloads employ multiple obfuscation layers (Base64/Base85, AES) and evolving complexity to evade sandbox analysis; campaign observed since late 2024 with Lone None Stealer tracked since June 2025.

MITRE Techniques

  • [T1204] User Execution – Campaign uses socially engineered copyright takedown emails with links to download archives, prompting victims to execute installers (“embedded link to download an archive file containing a maliciously repurposed legitimate program”).
  • [T1105] Ingress Tool Transfer – Payloads and installers are hosted on Dropbox/MediaFire and delivered via short links (tr[.]ee, goo[.]su) and redirected URLs (“the archive files are typically hosted on free file-sharing services such as Dropbox and MediaFire”).
  • [T1218] System Binary Proxy Execution – certutil.exe is abused to decode a disguised archive file (“certutil.exe is used to decode Document.pdf and save the decoded as Invoice.pdf”).
  • [T1543] Create or Modify System Process – A registry Run key is added for persistence to execute the staged Python interpreter on startup (“a Windows registry key is added to execute the script on startup as persistence”).
  • [T1059.006] Command and Scripting Interpreter: Python – Malicious Python scripts are installed and executed via a staged Python interpreter to run further payloads (“the staged Python interpreter ‘svchost.exe’ is used to run a malicious Python script named ‘images.png’”).
  • [T1090] Proxy: External Remote Services (Telegram) – Telegram bot profiles and bot API are used for C2 and payload retrieval (“the malicious Python script attempts to retrieve a Telegram bot profile page… The argument ‘MRB_NEW_VER_BOT’ is used to specify the Telegram bot name that is used as a C2”).
  • [T1605] Data Manipulation – Clipboard Data – Lone None Stealer detects cryptocurrency addresses in the clipboard and replaces them with actor-controlled wallet addresses (“When a cryptocurrency wallet address is detected in the clipboard, Lone None Stealer will quietly replace it with an address specified by the threat actor”).
  • [T1027] Obfuscated Files or Information – Payloads use Base64/Base85 encoding and AES encryption to evade analysis (“multiple levels of obfuscation through text encoding (typically in Base64 or Base85) and encryption via AES”).
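The clipboard-replacement behaviour described in the key points and under the Data Manipulation technique can be spotted from the victim side: a clipper overwrites a freshly copied wallet address with a different address of the same type within a fraction of a second, which ordinary copy-and-paste activity never does. The following detector is an added example written for this summary, not code from Cofense or from the malware; it works on an already-captured sequence of clipboard changes (constructed sample below, with the actor's Bitcoin and BitcoinCash wallets taken from the IoC list) rather than hooking the live Windows clipboard, and its address patterns check format only, not checksums.

```python
import re

# Address shapes for the wallet types named in the report. These are format
# checks only (no checksum validation), so a match is a candidate, not proof.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "bch": re.compile(r"^(?:bitcoincash:)?[qp][a-z0-9]{41}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return the wallet type of a clipboard string, or None if it is not an address."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    return None


def detect_swaps(events, window=5.0):
    """Flag clipboard changes where one wallet address is replaced by a different
    address of the same type within `window` seconds.

    events: [(timestamp_seconds, clipboard_text), ...] in time order, one entry per
    clipboard change, as a clipboard monitor would record them.
    Limitation: only whole-clipboard addresses are classified; an address embedded
    in a longer text is not examined.
    """
    hits = []
    for (t_prev, prev), (t_cur, cur) in zip(events, events[1:]):
        kind = classify_address(prev)
        if kind is None or kind != classify_address(cur):
            continue  # not an address-to-address change of the same type
        if prev.strip() == cur.strip():
            continue  # the same address copied again is not a swap
        dt = t_cur - t_prev
        if dt <= window:
            hits.append({"kind": kind, "original": prev.strip(),
                         "replacement": cur.strip(), "dt": dt})
    return hits


# Constructed clipboard history (timestamps and the user's own addresses are
# made up; the replacement addresses are the actor wallets from the IoC list).
SAMPLE_EVENTS = [
    (0.0, "Invoice #4471 - pay to the address below"),
    (12.4, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),        # user copies their BTC address
    (12.5, "1DPguuHEophw6rvPZZkjBA3d8Z9ntCqm1L"),        # 100 ms later: actor BTC wallet
    (60.0, "0x742d35Cc6634C0532925a3b844Bc454e4438f44e"),  # user copies an ETH address
    (95.0, "0x" + "0" * 39 + "1"),                       # another ETH address 35 s later: normal
    (120.0, "bitcoincash:qqaffr86936tqskawz2xze5q3l04tre7uulwu0cqn5"),  # no prior address: no swap
]

if __name__ == "__main__":
    for hit in detect_swaps(SAMPLE_EVENTS):
        print(f"[{hit['kind']}] {hit['original']} -> {hit['replacement']} after {hit['dt']:.2f}s")
```

Feeding the sample history through `detect_swaps` reports exactly one event, the Bitcoin swap at 12.5 s; the two Ethereum addresses copied 35 seconds apart and the lone BitcoinCash address are left alone. In production the same function would run over a clipboard-change log from an endpoint agent, and the `window` should stay well under the time a person needs to select and copy a second address.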

Indicators of Compromise

  • [File Path] Staged Python installation – C:\Users\Public\Windows\svchost.exe (Python interpreter) and C:\Users\Public\Windows\Lib\images.png (malicious script).
  • [Registry] Persistence – HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run entry launching C:\Users\Public\Windows\svchost.exe with a mismatched-extension Python script as its argument.
  • [Domains/URLs] Payload hosting and retrieval – example short links tr[.]ee / goo[.]su redirectors; paste[.]rs and 0x0[.]st used for Python payload hosting (e.g., paste[.]rs/RWqFD, 0x0[.]st links).
  • [Telegram API/IDs] C2 and exfiltration – Telegram bot API endpoint and bot token pattern used to report clipboard replacements (example: api[.]telegram[.]org/bot7414494371:AAFbG9…/sendMessage?chat_id=1916486798).
  • [Cryptocurrency Addresses] Wallets used for clipboard replacement – 1DPguuHEophw6rvPZZkjBA3d8Z9ntCqm1L (Bitcoin), qqaffr86936tqskawz2xze5q3l04tre7uulwu0cqn5 (BitcoinCash), and the other wallet addresses listed in Table 1 of the report.
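The file-path, registry and Telegram indicators above translate into three behavioural checks that hold even when the exact file names change: an autorun entry whose executable lives under C:\Users\Public or is a svchost.exe outside System32 and is handed a non-script file, certutil.exe decoding one document-looking file into another, and an outbound request to the Telegram bot API. The scanner below is an added example for this summary, not Cofense's tooling; it runs over a small constructed telemetry set (Run-key values, process command lines and proxied URLs) that mirrors the IoCs listed above, with the bot token replaced by a placeholder.

```python
import ntpath
import re
from urllib.parse import parse_qs, urlparse

PUBLIC_DIR = "c:\\users\\public\\"
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Extensions that are neither scripts nor executables; an interpreter being
# handed one of these (e.g. images.png) is the staging pattern from the report.
DISGUISE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt", ".dat")
TELEGRAM_BOT = re.compile(r"api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)", re.I)


def split_cmd(cmd):
    """Minimal Windows command-line tokeniser that honours double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def check_run_value(value):
    """Reasons a Run-key value resembles the staged-interpreter persistence."""
    tokens = split_cmd(value)
    if not tokens:
        return []
    exe = tokens[0].lower()
    reasons = []
    if exe.startswith(PUBLIC_DIR):
        reasons.append("autorun executable lives under C:\\Users\\Public")
    if ntpath.basename(exe) == "svchost.exe" and ntpath.dirname(exe) not in SYSTEM_DIRS:
        reasons.append("svchost.exe outside System32/SysWOW64 (likely renamed interpreter)")
    if reasons:  # the extension hint only matters when the executable itself is odd
        for arg in tokens[1:]:
            if arg.lower().endswith(DISGUISE_EXT):
                reasons.append(f"non-script file passed as argument: {ntpath.basename(arg)}")
    return reasons


def check_certutil(cmdline):
    """Return a description if certutil -decode writes a document-extension file."""
    tokens = split_cmd(cmdline)
    if not tokens or ntpath.basename(tokens[0].lower()) not in ("certutil", "certutil.exe"):
        return None
    flags = {t.lower().lstrip("-/") for t in tokens[1:] if t.startswith(("-", "/"))}
    if "decode" not in flags or len(tokens) < 4:
        return None
    infile, outfile = tokens[-2], tokens[-1]  # certutil -decode <infile> <outfile>
    if infile.lower().endswith(DISGUISE_EXT) or outfile.lower().endswith(DISGUISE_EXT):
        return f"certutil -decode {ntpath.basename(infile)} -> {ntpath.basename(outfile)}"
    return None


def check_url(url):
    """Extract bot id, method and chat_id from a Telegram bot API request."""
    m = TELEGRAM_BOT.search(url)
    if not m:
        return None
    bot_id, token, method = m.groups()
    chat_id = parse_qs(urlparse(url).query).get("chat_id", [None])[0]
    return {"bot_id": bot_id, "token_prefix": token[:4] + "...", "method": method,
            "chat_id": chat_id}


def scan(events):
    """Apply the three checks to a list of telemetry records."""
    findings = []
    for i, ev in enumerate(events):
        if ev["kind"] == "registry" and ev["key"].lower().endswith("\\currentversion\\run"):
            reasons = check_run_value(ev["value"])
            if reasons:
                findings.append({"index": i, "rule": "run_key", "detail": "; ".join(reasons)})
        elif ev["kind"] == "process":
            hit = check_certutil(ev["cmdline"])
            if hit:
                findings.append({"index": i, "rule": "certutil_decode", "detail": hit})
        elif ev["kind"] == "url":
            hit = check_url(ev["url"])
            if hit:
                findings.append({"index": i, "rule": "telegram_bot_api", "detail": hit})
    return findings


# Constructed telemetry: paths follow the IoC list, the user profile and Run-key
# names are made up, and the bot token is a placeholder (the report truncates it).
SAMPLE_EVENTS = [
    {"kind": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "WindowsUpdate",
     "value": r'"C:\Users\Public\Windows\svchost.exe" "C:\Users\Public\Windows\Lib\images.png"'},
    {"kind": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "value": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"kind": "process",
     "cmdline": r'certutil.exe -decode "C:\Users\alice\Downloads\Document.pdf" "C:\Users\alice\Downloads\Invoice.pdf"'},
    {"kind": "process", "cmdline": r"certutil.exe -verify -urlfetch cert.cer"},
    {"kind": "url",
     "url": "https://api.telegram.org/bot7414494371:AAFbG9PLACEHOLDER_TOKEN/sendMessage?chat_id=1916486798&text=swapped"},
    {"kind": "url", "url": "https://telegram.org/"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f['index']}: {f['rule']}: {f['detail']}")
```

Run against the sample set, `scan` flags the Public-directory Run entry (three reasons), the certutil decode of Document.pdf into Invoice.pdf, and the bot API call, while the OneDrive autorun, the certutil -verify invocation and the plain telegram.org visit pass. The Telegram check deliberately keys on the `/bot<id>:<token>/` path shape rather than the specific token, so it also catches the same C2 pattern with a rotated bot.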


Read more: https://cofense.com/blog/inside-vietnamese-threat-actor-lone-none-s-copyright-takedown-spoofing-campaign